WSL2-Linux-Kernel/arch
Nathan Lynch 10f2cd373e powerpc/xive/spapr: correct bitmap allocation size
[ Upstream commit 19fc5bb93c ]

kasan detects access beyond the end of the xibm->bitmap allocation:

BUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140
Read of size 8 at addr c00000001d1d0118 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28
Call Trace:
[c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable)
[c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710
[c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354
[c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0
[c00000001d98f970] [c0000000011c6ed0] _find_first_zero_bit+0x40/0x140
[c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260
[c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450
[c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118
[c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac
[c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640
[c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0
[c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64

Allocated by task 0:
 kasan_save_stack+0x34/0x70
 __kasan_kmalloc+0xb4/0xf0
 __kmalloc+0x268/0x540
 xive_spapr_init+0x4d0/0x77c
 pseries_init_irq+0x40/0x27c
 init_IRQ+0x44/0x84
 start_kernel+0x2a4/0x538
 start_here_common+0x1c/0x20

The buggy address belongs to the object at c00000001d1d0118
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 8-byte region [c00000001d1d0118, c00000001d1d0120)

The buggy address belongs to the physical page:
page:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d
flags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff)
raw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480
raw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
>c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc
 c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc

This happens because the allocation uses the wrong unit (bits) when it
should pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With small
numbers of bits, the allocated object can be smaller than sizeof(long),
which results in invalid accesses.

Use bitmap_zalloc() to allocate and initialize the irq bitmap, paired with
bitmap_free() for consistency.

Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220623182509.3985625-1-nathanl@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-07-21 21:24:33 +02:00
..
alpha alpha: fix alloc_zeroed_user_highpage_movable() 2022-06-09 10:22:43 +02:00
arc ARC: entry: fix syscall_trace_exit argument 2022-04-27 14:39:00 +02:00
arm ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero 2022-07-21 21:24:22 +02:00
arm64 arm64: dts: broadcom: bcm4908: Fix cpu node for smp boot 2022-07-21 21:24:23 +02:00
csky csky: patch_text: Fixup last cpu should be master 2022-06-09 10:23:26 +02:00
h8300 Merge branch 'akpm' (patches from Andrew) 2021-09-08 12:55:35 -07:00
hexagon uaccess: fix integer overflow on access_ok() 2022-03-28 09:58:45 +02:00
ia64 ia64: define get_cycles macro for arch-override 2022-05-30 09:29:12 +02:00
m68k m68knommu: fix undefined reference to `mach_get_rtc_pll' 2022-06-14 18:36:15 +02:00
microblaze uaccess: fix nios2 and microblaze get_user_8() 2022-04-08 14:23:18 +02:00
mips MIPS: Remove repetitive increase irq_err_count 2022-06-29 09:03:24 +02:00
nds32 nds32: fix access_ok() checks in get/put_user 2022-03-28 09:58:46 +02:00
nios2 nios2: use fallback for random_get_entropy() instead of zero 2022-05-30 09:29:14 +02:00
openrisc openrisc: start CPU timer early in boot 2022-06-09 10:22:38 +02:00
parisc parisc: Enable ARCH_HAS_STRICT_MODULE_RWX 2022-06-29 09:03:30 +02:00
powerpc powerpc/xive/spapr: correct bitmap allocation size 2022-07-21 21:24:33 +02:00
riscv riscv/mm: Add XIP_FIXUP for riscv_pfn_base 2022-07-12 16:35:01 +02:00
s390 KVM: s390x: fix SCK locking 2022-07-12 16:35:02 +02:00
sh sh: convert nommu io{re,un}map() to static inline functions 2022-07-21 21:24:14 +02:00
sparc signal: Deliver SIGTRAP on perf event asynchronously if blocked 2022-06-09 10:22:48 +02:00
um um: line: Use separate IRQs per line 2022-06-14 18:36:23 +02:00
x86 KVM: x86: Fully initialize 'struct kvm_lapic_irq' in kvm_pv_kick_cpu_op() 2022-07-21 21:24:31 +02:00
xtensa xtensa: Fix refcount leak bug in time.c 2022-06-29 09:03:29 +02:00
.gitignore
Kconfig stack: Constrain and fix stack offset randomization with Clang builds 2022-04-08 14:23:06 +02:00